
BeyondTrust recently concluded an investigation into a significant cybersecurity incident affecting its Remote Support SaaS platform. The breach, initially detected on December 5, 2024, impacted 17 customers through unauthorized access enabled by a compromised API key.
The investigation found that attackers exploited a zero-day vulnerability in a third-party application within BeyondTrust’s AWS environment. That foothold allowed the threat actors to obtain an infrastructure API key, which they then used to access Remote Support infrastructure in a separate AWS account.
Two security vulnerabilities were identified during the investigation:
– CVE-2024-12356
– CVE-2024-12686
Both vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities catalog due to evidence of active exploitation.
Response measures implemented by BeyondTrust include:
– Revoking the compromised API key
– Suspending affected customer instances
– Providing alternative Remote Support SaaS instances
The U.S. Treasury Department confirmed it was among the affected organizations. The attack has been attributed to Silk Typhoon (formerly Hafnium), a China-linked hacking group. In response, the Treasury Department imposed sanctions on Shanghai-based cyber actor Yin Kecheng for his alleged involvement in the network breach.